SIEM: What Is SIEM, How It Works, and Useful Resources

  • SIEM

What is a SIEM?

SIEM stands for Security information and event management. This technology has existed since the late 1990s. Traditional SIEM has been joined by a broad use log management technology that focuses on collecting various types of logs and events for different purposes, such as:

  • security monitoring
  • threat detection
  • digital forensics
  • security incident response
  • regulatory compliance
  • system management
  • and application troubleshooting

SIEM vendors usually provide different combinations of functionalities to offer the benefits listed above. Log management alone doesn’t provide the ability to handle the diverse use-cases required by modern businesses, so SIEMs are more complicated and mature in how they operate.

How Do SIEM Tools Work?

Most SIEM tools collect and analyze logs. Based on the data gathered, they report and visualize the aggregated data, helping security teams to detect and investigate security threats. The SIEM use cases normally focus on information security, network security, data security as well as regulatory compliance. Most SIEM tools offer a combination (or all of) the following features:

  • Log and context data collection
  • Normalization and categorization
  • Correlation
  • Notification/alerting
  • Prioritization
  • Real-time views
  • Reporting
  • Security role workflow

How did SIEM evolve and How Is the Next-Gen SIEM Any Different?

SIEMs, like any other information security tools, is naturally evolving to meet the ever-changing needs of the organizations. They become “smarter”, and with every day they become more and more useful for many other teams besides DevOps. For example, in our ebook “Audit Trail: Benefits Beyond Forensics” – we reviewed how audit trail has evolved to a powerful tool for demonstrating compliance, improving business processes and detecting fraud. SIEM solutions will continue their evolution process, offering more and more security benefits.

We believe that going forward, some of the important problems that next-gen SIEMs should cover will be:

  • Helping security analysts and sysadmins rather than burdening them with alerts – false positives have always been the bane of SIEMs. Going forward, SIEMs should take steps to reduce the noise. Automation is one of the possible approaches that has become a separate, vibrant category.
  • End-to-end encryption – SIEMs are moving rapidly to the cloud but that poses security and privacy challenges. We believe that everything should be encrypted prior to being sent so that even cloud SIEM vendors can’t have access to the data.
  • Indisputable log integrity – log integrity, non-repudiation, and compliance using our state-of-the-art cryptographic technologies will be a strict requirement in the future, like data manipulation and forensic tampering will be increasingly realized as serious security threats.
  • Machine Learning for immediate anomaly detection – Detecting anomalies in the face of a continuous stream of unstructured data from various sources is challenging. Thanks to the growth of various deep learning technologies, anomaly detection using machine learning is a practical solution today. SIEMs will strive to build robust anomaly detection with machine learning for pinpointing rare event patterns or potential problems.
  • Phishing protectionphishing attempts have grown 65% in the last year alone.  Phishing accounts for 90% of data breaches. Therefore, more and more SIEMs will be offer anti-phishing functionality. Even though SIEMs are typically seen as “monitor-only” with the right automation and response tools, they can effectively stop phishing.
  • Attack-vector specific monitoring – The MITRE ATT&CK framework clarified and publicized how attackers get access to target systems. SIEMs have started mapping events to the MITRE framework, but that’s not enough – there should be dedicated functionalities targeting the most prominent attack vectors. Phishing, as shown above, is just one example.

While “next-gen” isn’t an official term, many SIEMs are gradually moving out of the old “collect logs and apply rules” paradigm into solving problems of the current complex environment.

We, at LogSentinel, are developing such a Next-Gen SIEM, offering a superior business model for a successful SIEM implementation, covering the main obstacles that companies usually face while integrating it:

  • Easy and straight-forward integration
  • Predictable Pricing
  • Bundled Managed Service
  • Excellent Cloud Support

SIEM Resource Bank

If you would like to dig deeper in SIEM and its application in compliance and information security, we have prepared some insightful articles for you:

SIEM Solutions and Data Protection Compliance

The technical aspects of regulations ( e.g. GDPR, SOX, FISMA, HIPAA, etc) require paying better attention to the way companies store their personal data. SIEM systems can ease the process of storing evidence of compliance. They also ensure advanced threat detection of malicious activities. This way the processes become manageable and the data protection officers of medium and big companies can get better visibility over the processes within the organization, as well as to take measures for preventing security incidents. To find out how SIEM solutions can help you in your efforts to achieve regulatory compliance, read our full article. 

Why Mid-Market Companies and SMEs Benefit From SIEM?

Security Information and Event Management (SIEM) has been “reserved” for large enterprises for a long time and therefore vendors largely ignored smaller customers. “Smaller customers” But the problem that SIEM solves are problems that these SME/mid-market organizations have as well. Find out what problems of the SME/mid-market organizations do SIEMS solve, and what are the key reasons that have prevented SME/mid-market organizations to adopt a SIEM so far. Read the whole article here: Why Mid-Market Companies and SMEs Benefit From SIEM

[Free Ebook] SIEM Buyer’s Guide for SMEs

You have probably seen many SIEM buyer’s guides and realized that they are focused on large multinationals and Fortune 500 companies and you find them hard to relate to. However, the SIEM products are no longer targeted just at large corporations (despite the fact that they have a reputation of being quite expensive).

In this e-book, in a nutshell, we have listed the most important criteria and features that you should concentrate on. Download our ‘SIEM Buyer’s Guide’ ebook to learn more details about them:

banner-siem-buyers-guide

Does Your SIEM Guarantee Log Integrity? And Does It Make You Compliant?

SIEMs are meant to collect logs from various sources. These logs, allegedly, can be used later as an audit trail to help figure out what happened. Unfortunately, if you can’t trust the audit logs, you can’t be sure what happened. Not only that – you can’t convince anyone else., and therefore can’t comply with regulatory requirements. To find out how to guarantee log integrity using your SIEM, read this article.

[Free Ebook] Using SIEM for GDPR and NIS Compliance

Regulations such as GDPR  and NIS give EU individuals more control over their personal data, however, they also compel organizations to utilize stronger security and privacy controls when storing or processing personal data.

The technical aspects of both regulations require paying better attention to the way organizations collect, store, and process sensitive data. To help you make sense of these obligations and how you can cover them most effectively, the ebook Using SIEM for GDPR and NIS Compliance reviews GDPR and the NIS directive in the context of how Security Information and Event Management (SIEM) solutions can help in achieving indisputable compliance with all technical aspects.

Ebook SIEM for GDPR and NIS banner

Too often organizations have just one tool (either a SIEM, or a simple log collector, UEBA, Audit Trail, or etc) that collects all logs in hope that the chosen tool covers all purposes for collecting logs. This is often wrong but unfortunately reinforced by the tools’ marketing materials. In this article, we gathered insights about the log collectors landscape, and their best use cases, to help you get a better idea of their functionalities: Log Collectors Landscape: SIEM, Log Collectors, UEBA, and Audit Trail

Log Integrity: How SIEMs Address the Issue and Is It Enough?

Log integrity and non-repudiation are key properties of audit logs. As SIEMs are usually the way to collect audit logs (among many other things) in large organizations, we have to make sure they give us those properties. Learn how SIEMs address this issue and what features to be looking for: Log Integrity: How SIEMs Address the Issue and Is It Enough?

SIEM Costs: Why Are SIEMs Expensive?

SIEM (Security Information and Event Management) systems have a reputation for being expensive. And that’s generally correct – they can cost hundreds of thousands per year or have huge upfront costs. But why is that? Read this article to find out about the top reasons for the SIEMs to be so expensive, and find out what are the cost-efficient solutions suitable for your business: Why Are SIEMs Expensive?

[Free Ebook] Using SIEM for Financial Compliance

The financial sector – from international banks to fintech startups – are required to comply with numerous standards and regulations regarding information security, KYC and AML, open banking, and more. The financial sector is also a primary target of cyber-attacks according to multiple reports.

Security information and event management (SIEM) provide financial companies with critical information to monitor, prevent, and diagnose network security breaches. Download this ebook if you’d like to learn how a Next-Generation SIEM can cover all information security requirements in the financial sector regulations.

Banner Using SIEM For Financial Compliance

Track Events You Have Not Tracked Before

There are a lot of products that allow collecting data, aggregating it, and displaying it for security or monitoring purposes. That includes SIEMs, UEBAs (User and entity behaviour analytics), log collectors, and catch-all multi-purpose data platforms (like Splunk). But what kind of events do they track and which ones of them are critical to your business? Read more in this article: Track Events You Have Not Tracked Before

Three Industry-Specific Aspects of SIEM

Security Information and Event Management systems are considered a “must-have” in many industries. They are effectively a horizontal security tool that improves security posture and improves visibility regardless of the domain specifics. Or at least it seems so at first. We classified some inevitable industry specifics in three different categories – industry-specific data sources, compliance, and threats. To find out insights about each of these categories, read our whole article: Three Industry-Specific Aspects of SIEM

The Three Pillars of SIEM

We have built our LogSentinel SIEM around the three core principles:

  1. Every organization can get value from SIEM
  2. Every security log is important
  3. Every security incident is preventable

That’s how we see the role of our product in the broader security ecosystem. And that’s why we’ve made it simple to use, affordable and predictable. Security is not just for the multinationals and SIEM is a key component in any fight against cyber threats. To find out more about the core principles of SIEM systems, read more here: The Three Pillars of SIEM

[Free On-Demand Webinar]  Security Information and Event Management (SIEM): Benefits and Pitfalls 

 

Security Information and Event Management (SIEM) – What is it, why it matters for security and why do we need it? How simple logs can be turned into actionable insights? In this webinar we’ll be taking a closer look at when is a SIEM needed, what are SIEMs missing and when do they fail to provide value. We’ll review concepts like alert fatigue, threat intelligence, audit log integrity, log privacy, and more. Don’t miss our SIEM Webinar! Register here.



Interested in a SIEM Solution that combines log management, behaviour analytics (UEBA), threat detection, and incident response into a complete security monitoring platform? Talk to us today!

REQUEST DEMO

Like this article? Share it with your network!